I looked through the manual (600+ pages, ugh!) and *thought* I had an idea on how to set up my test XG85...
My current Fortigate has the WAN, LAN, and DMZ ports active.
I replicated the settings for the interfaces, even found where DHCP settings were to turn that on for the DMZ (our tech shop network for client systems).
We generally block SMTP out from anything on the LAN other than the mail server by having the mail server SMTP out rule first, then the all-to-all rule after that with deny. Other than that, there are no restrictions. And that SMTP out rule is actually set to use an IP pool, so the IP that the internet expects us to send mail from is *NOT* the default public IP that is used for the normal traffic. I have another IP pool address used for DMZ out for the same reason, so that an infected machine, even if it gets the IP on a blacklist, is actually getting an IP blacklisted that's not used by anything else.
I have a bunch of inbound rules for various services - some non standard RDP ports for remote access to a couple systems, normal SSL for my exchange server, SMTP allowed only from my Barracuda that's colocated at an ISP's site, security camera system with a bunch of non standard ports. These were easy to duplicate on the XG85, and I actually like several things in the UI that I see as improvements over using the Fortigates...
However, when I unplugged the Fortigate and set this in its place, the only thing that worked was the default outbound for web browsing and such from LAN to WAN. I had no issues there. But the DMZ, while it could ping the DMZ and WAN port IPs, wasn't allowed traffic out, even though it had the default allow-all rule from DMZ to WAN.
Not a single inbound rule worked.
Clearly I'm missing something that must be blazingly obvious except that I'm coming from sonicwalls, fortigates, and such, and there's something somewhere that I must be utterly missing.
Where can I start trying to troubleshoot this? My inbound rules followed the guidelines I found online as far as using non-HTTP-based policies, setting the source, then the WAN info (interface and public IP) for the hosted server, then the internal info under "protected application server".
One thing I'm wondering: with the other firewalls I'm used to, when the public static info is like /40, I only have to put the actual default IP that the firewall will be using if nothing else is specified in the interface. All the other IP addresses are part of policies or VIP setups. But maybe that isn't the case here? Do I have to manually add every IP address to that external interface for rules using those IPs to work?
Thanks for any help. I'd LOVE to get this tackled, since I like the UI and functionality of monitoring so much more than the fortigates, and my clients will just LOVE the price difference...
John
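The rule layout John describes (a specific SMTP allow for the mail server placed ahead of a catch-all SMTP deny, with a separate IP pool address per zone so a blacklisting only hits the zone that earned it) is worth seeing as a first-match evaluation, because the ordering is exactly what breaks when rules are copied between vendors. The following is an added example written for this thread; it is not John's configuration and not a Sophos or FortiGate API. The zone names, rule names, hosts and addresses (RFC 5737 and RFC 1918 ranges) are all hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str            # "LAN", "DMZ" or "ANY"
    src_net: str             # CIDR of allowed sources; "0.0.0.0/0" for any
    dst_zone: str            # "WAN", "LAN", "DMZ" or "ANY"
    dst_port: Optional[int]  # None means any TCP port
    action: str              # "allow" or "deny"
    snat: Optional[str] = None  # IP-pool address used as egress source when allowed


@dataclass(frozen=True)
class Flow:
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_port: int


# Hypothetical addressing (RFC 5737 / RFC 1918); not the poster's real network.
DEFAULT_WAN_IP = "203.0.113.10"   # the one address configured on the WAN interface
MAIL_SNAT = "203.0.113.25"        # IP-pool address the world expects mail from
DMZ_SNAT = "203.0.113.30"         # separate pool address for the tech-shop DMZ

# Rule order is the whole point: the specific allow must precede the SMTP deny.
POLICY = [
    Rule("mail-smtp-out", "LAN", "192.168.1.25/32", "WAN", 25, "allow", MAIL_SNAT),
    Rule("deny-smtp-out", "ANY", "0.0.0.0/0", "WAN", 25, "deny"),
    Rule("lan-out", "LAN", "192.168.1.0/24", "WAN", None, "allow"),  # default WAN IP
    Rule("dmz-out", "DMZ", "192.168.2.0/24", "WAN", None, "allow", DMZ_SNAT),
]


def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.src_zone in ("ANY", flow.src_zone)
            and ip_address(flow.src_ip) in ip_network(rule.src_net)
            and rule.dst_zone in ("ANY", flow.dst_zone)
            and rule.dst_port in (None, flow.dst_port))


def evaluate(rules, flow: Flow, default_snat: str = DEFAULT_WAN_IP):
    """First-match evaluation. Returns (rule name, action, egress source IP).
    An allow without an explicit pool egresses from the interface address;
    a flow matching nothing falls through to the implicit deny every firewall has."""
    for rule in rules:
        if matches(rule, flow):
            egress = (rule.snat or default_snat) if rule.action == "allow" else None
            return rule.name, rule.action, egress
    return "implicit-deny", "deny", None


def egress_by_zone(rules, default_snat: str = DEFAULT_WAN_IP):
    """Which public addresses each zone can ever source traffic from.
    If a DMZ box gets its egress IP blacklisted, only the DMZ entry is affected."""
    out = {}
    for rule in rules:
        if rule.action == "allow":
            out.setdefault(rule.src_zone, set()).add(rule.snat or default_snat)
    return out


def misordered(rules):
    """The common copy mistake: the broad deny ends up above the specific allow."""
    deny = [r for r in rules if r.action == "deny"]
    rest = [r for r in rules if r.action != "deny"]
    return deny + rest


if __name__ == "__main__":
    flows = [
        Flow("LAN", "192.168.1.25", "WAN", 25),   # mail server sending mail
        Flow("LAN", "192.168.1.50", "WAN", 25),   # workstation trying SMTP (malware-style)
        Flow("LAN", "192.168.1.50", "WAN", 443),  # workstation browsing
        Flow("DMZ", "192.168.2.77", "WAN", 443),  # client box in the shop
    ]
    for f in flows:
        print(f, "->", evaluate(POLICY, f))
    print("egress per zone:", egress_by_zone(POLICY))
    print("mail server with deny moved up:", evaluate(misordered(POLICY), flows[0]))
```

Running it shows the mail server leaving from the pool address, a workstation's SMTP hitting the deny, browsing leaving from the interface address and DMZ traffic leaving from its own pool address; `misordered` then shows the same mail-server flow being denied once the catch-all sits above the specific allow, which is the first thing to compare when a migrated policy "looks the same" but behaves differently.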